Microsoft zaps botnet found pre-installed with counterfeit Windows

Microsoft announced today that it has taken action to disrupt an emerging botnet, called Nitol, that used victims’ PCs to conduct distributed denial of service attacks and gave cybercriminals backdoor access to install other malware or steal data. The disruption of the botnet was the culmination of a Microsoft operation codenamed “b70,” which was launched as the result of discoveries made during an investigation into the distribution of counterfeit software by computer resellers in China.

First, the company was granted temporary restraining orders against an individual named Peng Yong and his company based in Changzhou, China. Then, Microsoft took over hosting 3222.org—the domain hosting the Nitol botnet and “nearly 70,000 other malicious subdomains”—according to a blog post describing the operation written by Richard Domingues Boscovich, assistant general counsel for Microsoft’s Digital Crimes Unit. In addition to the Nitol command and control network, the domain hosted over 500 strains of various other malware, including trojans that record victims' keystrokes and take control of PCs' Web cameras and microphones. The 3222.org domain has been tied to malware activity dating back to 2008.

Microsoft researchers in China initially discovered Nitol while investigating the sale of computers loaded with counterfeit copies of the Windows operating system. In August of 2011, members of Microsoft’s Digital Crimes Unit purchased 20 computers—a mix of laptops and desktops—from computer resellers across China. Four of the computers purchased were found to be pre-infected with malware, including one with the Nitol botnet. Nitol was the only malware found that actively attempted to connect to a command and control network.

Nitol provided attackers with an HTTP-based backdoor to infected computers. It distributes itself as a dynamic link library called LPK.DLL, the name of a software module that is loaded by every Windows application with a user interface. When activated, Nitol copies itself into any directory that contains executable programs—including those on USB drives and other removable media. By default, applications look in the directory they’re installed in for DLLs before looking in other directories defined by the system. So this virus is able to get the applications installed on the PC to load it without having to fool users into installing anything.
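The search-order behaviour described above gives a defender a concrete thing to look for: a file carrying a system DLL's name sitting next to an executable, whose contents differ from the trusted copy in the system directory. The following scanner is an added example, not code from the article or from Microsoft. It walks application and removable-media directories, looks for `lpk.dll` in any folder that also holds an executable, and reports copies whose SHA-256 does not match the reference copy. The directory layout it builds for the demo (a fake `System32`, a clean app, an infected app, and a removable drive) is constructed sample data; the `find_shadow_dlls` and `demo_tree` names are this example's own.

```python
"""Detect planted copies of a system DLL name in application directories.

Added example (not from the article or from Microsoft): Nitol drops itself
as LPK.DLL next to executables so that the default search order (application
directory first) maps it instead of the system copy.  A defender can walk
the directories that contain executables and flag any file with a system
DLL's name whose hash differs from the trusted copy in the system directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadow_dlls(roots, dll_name, reference_dll):
    """Return [(path, sha256)] for files named dll_name that sit in a
    directory holding an executable and do not match the reference copy.

    roots:         directories to walk (e.g. Program Files, removable media)
    dll_name:      the system DLL name being shadowed, e.g. "lpk.dll"
    reference_dll: path of the trusted copy (e.g. System32\\lpk.dll)
    """
    reference = Path(reference_dll).resolve()
    reference_hash = sha256_of(reference)
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            lowered = {n.lower(): n for n in filenames}
            # Only directories that contain an executable matter: that is
            # where the loader's application-directory lookup happens.
            if not any(Path(n).suffix in EXECUTABLE_SUFFIXES for n in lowered):
                continue
            if dll_name.lower() not in lowered:
                continue
            candidate = Path(dirpath) / lowered[dll_name.lower()]
            if candidate.resolve() == reference:
                continue
            digest = sha256_of(candidate)
            if digest != reference_hash:        # identical copies are not flagged
                findings.append((str(candidate), digest))
    return findings


def demo_tree(base):
    """Build a constructed layout (sample data, not real Windows files):
    a fake System32 with the trusted lpk.dll, a clean app that ships an
    identical copy, an app with a planted lpk.dll, and a removable drive."""
    base = Path(base)
    sys32 = base / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "lpk.dll").write_bytes(b"GENUINE LPK")
    clean = base / "Program Files" / "CleanApp"
    clean.mkdir(parents=True)
    (clean / "clean.exe").write_bytes(b"MZ clean")
    (clean / "lpk.dll").write_bytes(b"GENUINE LPK")       # same bytes: benign
    bad = base / "Program Files" / "InfectedApp"
    bad.mkdir(parents=True)
    (bad / "app.exe").write_bytes(b"MZ app")
    (bad / "LPK.DLL").write_bytes(b"PLANTED PAYLOAD")     # differs: flagged
    usb = base / "E" / "tools"
    usb.mkdir(parents=True)
    (usb / "tool.exe").write_bytes(b"MZ tool")
    (usb / "lpk.dll").write_bytes(b"PLANTED PAYLOAD")     # differs: flagged
    return sys32 / "lpk.dll", [base / "Program Files", base / "E"]


def run_demo():
    """Scan the constructed tree; return the names of the flagged folders."""
    with tempfile.TemporaryDirectory() as tmp:
        reference, roots = demo_tree(tmp)
        findings = find_shadow_dlls(roots, "lpk.dll", reference)
        return sorted(os.path.basename(os.path.dirname(p)) for p, _ in findings)


if __name__ == "__main__":
    for folder in run_demo():
        print("shadow copy of lpk.dll found in", folder)
```

On a real machine the roots would be the Program Files directories and every removable volume, and the reference would be the copy under the Windows system directory; the hash comparison is what keeps a game or tool that legitimately ships an identical copy out of the report.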

By default, applications look in the directory they’re installed in for DLLs before looking in other directories defined by the system. So this virus is able to get the applications installed on the PC to load it without having to fool users into installing anything.

Hmm, wouldn't a simple and easy to implement security measure be for the OS to only look in the system folder for important windows dlls?

By default, applications look in the directory they’re installed in for DLLs before looking in other directories defined by the system. So this virus is able to get the applications installed on the PC to load it without having to fool users into installing anything.

Hmm, wouldn't a simple and easy to implement security measure be for the OS to only look in the system folder for important windows dlls?

at which point the malware would just patch the OS list to remove the dll it was impersonating; at which point when foo.exe requested bar.dll the standard behavior for an app specific dll would trigger an initial search in the apps folder and load the malware bar.dll instead of the OS dll.

By default, applications look in the directory they’re installed in for DLLs before looking in other directories defined by the system. So this virus is able to get the applications installed on the PC to load it without having to fool users into installing anything.

Hmm, wouldn't a simple and easy to implement security measure be for the OS to only look in the system folder for important windows dlls?

at which point the malware would just patch the OS list to remove the dll it was impersonating; at which point when foo.exe requested bar.dll the standard behavior for an app specific dll would trigger an initial search in the apps folder and load the malware bar.dll instead of the OS dll.

There's also the fact many of these DLLs change over time and a program might be compiled against a specific version. It's common for PC games to install their preferred version of the DirectX DLLs into the game folder itself (or for gamers to place one there for better performance).

Even reading the headline would have told you that "free" was never involved.

From the first paragraph:

Quote:

The disruption of the botnet was the culmination of a Microsoft operation codenamed “b70,” which was launched as the result of discoveries made during an investigation into the distribution of counterfeit software by computer resellers in China.

By default, applications look in the directory they’re installed in for DLLs before looking in other directories defined by the system. So this virus is able to get the applications installed on the PC to load it without having to fool users into installing anything.

Hmm, wouldn't a simple and easy to implement security measure be for the OS to only look in the system folder for important windows dlls?

This is a known attack vector. The problem is that it's also a behavior that Windows has employed for so long that changing it would break a lot of programs that expect the DLL to be in the current running directory to work. It's not an easy choice to make when you have such a large install base.

I can't presume to know their whole reasoning and their proposed solution. You'll have to look that up elsewhere.

Dude, don't be obtuse. You know very well this was malware being sold to people. This is why you pro-copyright advocates aren't taken seriously in these threads - you have to lie to justify your opinion or make a point.

Zak wrote:

Ostracus wrote:

Bet this is a side of "free" most advocates don't see.

Just a random troll, eh? You could at least pretend that you've read the article.

He's not a random troll, he's a dedicated copyright troll. You'll find him making stupid comments like that in most articles even peripherally related to piracy or copyright.

Actually, his comments aren't usually that stupid. Maybe he's drunk or something.

How would anyone get counterfeit Windows today? You can go to digitalriver and download an actual, Microsoft approved, ISO image of Windows 7 without having to buy anything.

Seems like insanity here that people are still being hit like this.

Ok, you've seriously missed something here, probably because you made false assumptions based on the headline.

The botnet victims are people that bought a computer with the OS already on it. The computer was pre-loaded with Windows, this was not a version of Windows downloaded on the 'net. The very first paragraph says it was a MS "investigation into the distribution of counterfeit software by computer resellers in China". The third paragraph says the malware was discovered while "investigating the sale of computers loaded with counterfeit copies of the Windows operating system."

Read, don't assume. Because when you assume, you make ...

bluechill wrote:

Nom wrote:

Er, you still have to purchase the licence key, otherwise how are you going to install the .iso version you just downloaded ?

DAZ Loader... works on every version of windows and activates it and even makes it genuine.

DAZ Loader is good, true. I've previously used... Orbital30, I think? (It's been a while.) That worked like a dream, too.

MS doesn't really give a shit about the people that knowingly pirate Windows, MS understand that's a battle they can't win, ever. Instead they're going after the commercial pirates (counterfeiters) that actually do cost MS money. I completely support that.

Talking about the DAZ Loader is pretty stupid here, unless you actually own a copy of Windows.

I own 3 copies of Windows 7 for all three of my machines. All "Professional" Editions. So why do I use the loader instead of my keys? Because I don't want to answer to anyone why I am installing or reinstalling for the nth time. When Windows gets slow for me, I blow it away and reinstall it. If I do that too many times I have to call Microsoft each time to activate, and that's such a pain.

Dude, don't be obtuse. You know very well this was malware being sold to people. This is why you pro-copyright advocates aren't taken seriously in these threads - you have to lie to justify your opinion or make a point.

What size brush did you say you were using again?

Quote:

Zak wrote:

Ostracus wrote:

Bet this is a side of "free" most advocates don't see.

Just a random troll, eh? You could at least pretend that you've read the article.

He's not a random troll, he's a dedicated copyright troll. You'll find him making stupid comments like that in most articles even peripherally related to piracy or copyright.

Actually, his comments aren't usually that stupid. Maybe he's drunk or something.

Talking about the DAZ Loader is pretty stupid here, unless you actually own a copy of Windows.

It's not stupid, it's honest. You can't discuss this sort of stuff without actually being honest about your situation, your experience, or how you use the software you have. If you need to hide what you do, you may as well not post.

Quote:

I own 3 copies of Windows 7 for all three of my machines. All "Professional" Editions. So why do I use the loader instead of my keys? Because I don't want to answer to anyone why I am installing or reinstalling for the nth time. When Windows gets slow for me, I blow it away and reinstall it. If I do that too many times I have to call Microsoft each time to activate, and that's such a pain.

Totally agree. I have one licence for Win7, and I use a loader too, for mostly the same reasons (though I actually have it installed on both my desktop and netbook).

I also have a boxed copy of Starcraft and Broodwar, yet I have a cracked version I use. Before Blizzard stopped requiring the CD to be in the drive (even though my netbook doesn't have a CD drive), I used to have to crack it to be able to play. They don't require it anymore (for Warcraft III, either), but I found it a pain at the time, so my bought copies remain unopened to this day.

My understanding is most modern games have install limits - now that's stupid. It's just asking to be cracked. Requiring always on connections are the same, you're begging people to crack your software. Selling only half a game, Starcraft II style, doesn't help - people will just use StarFriend or something to play the game on a LAN.

The more you try to cripple your product, the more reason there is to crack it. It's that simple. MS understand this, so they have a basic hurdle you have to jump, and that's it. MS will chase commercial pirates only, unlike Blizzard, Apple, or Ubisoft, who lock-down or cripple their product for paying customers.

Oh snap! Anyway you know full well "you pro-copyright advocates" is generalizing.

While my comment was directed at you, I tried to phrase it the same way you had phrased your statement, intending irony (which in hindsight obviously backfired).

Quote:

Your personal feelings about me don't change that.

You probably have a complete misunderstanding of my personal feelings - seriously, otherwise you'd be on my ignore list as the General suggests.

Major General Thanatos wrote:

Successful troll is successful!

Guys, put him on ignore and move on with life.

I've put many a copyright troll on my ignore list, but not people like Ostracus or Reflex-croft. Outside of a piracy/counterfeit thread, they've contributed well to conversations (unlike trolls such as d_jedi or darkpill, for example).

As I said above, his comments aren't normally that retarded (and he hasn't continued with that strawman since it was pointed out).

By default, applications look in the directory they’re installed in for DLLs before looking in other directories defined by the system. So this virus is able to get the applications installed on the PC to load it without having to fool users into installing anything.

Hmm, wouldn't a simple and easy to implement security measure be for the OS to only look in the system folder for important windows dlls?

Technically maybe, but not really outside of very contrived cases. Yeah you can put a DLL in Program X's folder and load that instead of a windows DLL. However if an attacker can do that you have another much more direct attack vector... just overwrite/modify Program X's executable instead.

This isn't 100% true because it is possible that all of Program X's executable files and libraries have more restrictive ACLs than the immediate folder they're in, but I can't ever recall seeing that done intelligently.

This is also why programs get installed into a folder that requires administrator to modify (program files).

There was a more serious variant of this (windows used to check the current directory before system directories, which is definitely exploitable), but that's long fixed.
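The comment above distinguishes two search-order behaviours: the application directory being consulted before the system directory (still the default), and the current working directory being consulted before the system directory (the older behaviour that SafeDllSearchMode turned off). The model below is an added illustration, not code from the article or the commenter. It lists the directories the loader consults for a DLL name given without a path, in the documented order for SafeDllSearchMode on and off, and resolves a constructed layout in which `foo.exe` asks for `bar.dll`. The directory names, the `bar.dll` name and the function names are this example's own; the optional `known_dlls` argument models the KnownDLLs list, which the loader serves from the system directory without searching.

```python
"""Model of the Windows DLL search order for a module name given without a
path (added example; constructed directories, not a real machine).

With SafeDllSearchMode on (the default), the loader consults: the
application directory, the system directory, the 16-bit system directory,
the Windows directory, the current directory, then PATH.  With it off, the
current directory moves up to second place.  A DLL named in KnownDLLs is
taken from the system directory without any search.
"""

APP = r"C:\Program Files\Foo"            # where foo.exe is installed
CWD = r"C:\Users\alice\Downloads"        # process's current directory
SYS32 = r"C:\Windows\System32"           # system directory
SYS16 = r"C:\Windows\System"             # 16-bit system directory
WIN = r"C:\Windows"                      # Windows directory
PATH_DIRS = [r"C:\Tools"]                # constructed PATH entry


def search_order(safe_mode=True):
    """Directories in the order the loader consults them."""
    if safe_mode:
        return [APP, SYS32, SYS16, WIN, CWD] + PATH_DIRS
    return [APP, CWD, SYS32, SYS16, WIN] + PATH_DIRS


def resolve_dll(dll_name, files_on_disk, safe_mode=True, known_dlls=()):
    """Return the directory whose copy of dll_name the loader would map,
    or None if no directory in the search order holds it.

    files_on_disk: mapping directory -> set of file names present there
    known_dlls:    names served from the system directory without searching
    """
    name = dll_name.lower()
    if name in {k.lower() for k in known_dlls}:
        return SYS32
    for directory in search_order(safe_mode):
        present = {f.lower() for f in files_on_disk.get(directory, ())}
        if name in present:
            return directory
    return None


def where_bar_loads_from(planted_dir=None, safe_mode=True, known_dlls=()):
    """Constructed layout: foo.exe in APP, the genuine bar.dll in SYS32, and
    optionally a planted bar.dll in planted_dir (APP or CWD)."""
    files = {APP: {"foo.exe"}, SYS32: {"bar.dll"}}
    if planted_dir is not None:
        files.setdefault(planted_dir, set()).add("bar.dll")
    return resolve_dll("bar.dll", files, safe_mode, known_dlls)


if __name__ == "__main__":
    for planted in (None, APP, CWD):
        for safe in (True, False):
            print(f"planted in {planted!s:<28} safe={safe!s:<5} ->",
                  where_bar_loads_from(planted, safe))
    print("bar.dll in KnownDLLs, planted in APP ->",
          where_bar_loads_from(APP, True, known_dlls=("bar.dll",)))
```

Running it shows the two points the thread makes: a copy planted in the application directory wins whether or not safe search is enabled, which is the Nitol case, while a copy in the current directory wins only with SafeDllSearchMode off, the variant the comment calls long fixed. Only the KnownDLLs path makes the system copy win over the application directory.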

Having been there and tried it, here is what seems typical. You wander into a building which is a twisty maze of hundreds of booths displaying various machines with Linux preinstalled. You pick somewhere to haggle, make a deal, then a boothbabe is assigned to take you to collect your machine. You head on upstairs to a stockroom that turns out to be the backoffice for a large subset of the booths downstairs, and finish haggling over color, accessories, etc. Then they bring out the shiny ASUS and show it to you, unpack and turn on (common for all electronics purchases in China). At that point rather than repack it (which is what would happen with, say, a TV) they say "XP or 7?" and you say huh, then once you figure it out you say 7 (which seems to surprise the guy, apparently everyone asks for XP) and he gets out a USB key and 10 minutes later a pirate image has landscaped your drive (Linus, hah!) along with, just to show there is no chauvinism going on, pirated versions of Office plus every popular Chinese app (mostly what seems to be a dozen competing Input Method Editors). Oh, and with a practiced set of clicks and keystrokes which fly past in a blur, all the defensive checks and updates are bypassed.

You are now the proud owner of an undefended, outdated, and (according to this article) probably intrinsically infested version of Windows 7. If you are a typical Chinese home user you will use your XP with pride, stopping every 15 seconds or so to shut down some malware dialog blocking your screen and totally oblivious to the cute icon of the useless app pretending to be an antivirus, which itself is as irritating as Clippie. Ah, the delights of the pirate main!

So effectively, a shady OEM in China decided to "preload" his preferred infection straight onto fresh installs of the computers they were selling. That's pretty low and why it is just safer to buy from a big name brand - although they aren't 100% immune to this. I believe Acer or another brand accidentally infected new machines because the thumbdrive they were using was transferring infections to the fresh installs.

What in the heck are you talking about? This has nothing to do with open source. This is shady Chinese computer stores selling illegal copies of Windows on PCs that they have also infected with malware. Please explain how you are not completely ignorant by telling us what exactly this has to do with open source software or anything related to the article whatsoever?

When you buy a pre-owned computer, the first thing to do is scan it with good security software, update Windows and update the antivirus. Most virus infections happen when you download free software or when watching online videos. News about the latest virus threat found at http://www.cleanpcguide.com/remove-gend ... ale-virus/

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.